Move over TJX: Heartland data breach may be biggest yet

Travis K. Kircher contributor
• 29 Jan 2009

The complaints started in the fall of 2008.

It was around late October when Heartland Payment Systems, a Princeton, N.J.-based company that provides payment processing for roughly 200,000 U.S. businesses, was contacted by Visa and MasterCard about reports of fraudulent activity taking place on cards it had processed.

"Everybody was trying to put the puzzle pieces together," said Jason Maloni, spokesman for Heartland. "We immediately engaged a forensic investigation firm that set about looking at our system from top to bottom."

Maloni claims officials at Heartland didn’t believe the company had any security problems until the week of Jan. 12, when forensic investigators uncovered carefully hidden malware on Heartland’s servers. Its purpose was to identify private cardholder data, record it – and presumably – transmit it to an unknown third party for criminal use.

"The good news is that the software has been removed," Maloni said. "Unfortunately, the bad news is that key data was compromised during a period in the latter part of 2008."

 

Too many unknowns

At this point, it’s difficult to judge just how bad that bad news is. Maloni says his company processes roughly 100 million transactions per month, 40 percent of which are for small-to-medium-sized restaurants. It’s not known how long the malware was on the server, nor whether it was able to transmit data to its intended third party – although Maloni admits the complaints of fraudulent card activity received by Visa and MasterCard would seem to indicate that it did.

Reports vary on exactly how many transactions may have been compromised. A Jan. 20 article in The Washington Post estimates the amount to be in the neighborhood of "tens of millions."

For perspective, the infamous TJX breach – until now thought to be the largest case of card data theft in history – affected 45 million cardholders, though it’s not known how many individual transactions were compromised. The Washington Post article says the Heartland breach may exceed it.

Maloni says it’s far too early to be making comparisons.

"Frankly that is speculation at this point, since we don’t have a firm idea of what numbers are out there," he said.

David Shackleford, the chief security officer at Configuresoft Inc., says the abundance of unknowns is the most troubling aspect of the breach.

"These guys had malicious software installed in their environment that monitored transactions going pretty much across the board, and the big thing about this is they didn’t know when it was installed, how it was installed or how long it was there," said Shackleford, whose company provides IT solutions for businesses. "All the other factors are almost moot in comparison right there."

Maloni says one thing is clear: personal identification data such as consumers’ social security numbers, addresses, zip codes, PINs and CVV2 numbers (the three digits on the backs of credit/debit cards often used in Internet transactions) was not compromised.

What may have been compromised, he says, were cardholder names, card numbers and expiration dates.
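The malware described above had to pick card numbers out of whatever passed through the processor. A card number is recognisable from its structure alone: a 13- to 19-digit run whose check digit satisfies the Luhn formula. The following is an added example, not code from the article or from Heartland, showing how a monitoring tool (or, equally, a sniffer) identifies and masks primary account numbers in captured records. The records, merchant IDs and field names are constructed for the example; the two card numbers are the standard Visa and MasterCard test numbers, and the expiry dates are the only other card field present, mirroring the article's point that CVV2 and PIN were never in this data.

```python
import re

# Constructed sample records (not from the page or from Heartland). Two carry
# a real-looking PAN plus expiry; the third has a 16-digit reference that
# fails the Luhn check, so a digit-count match alone would be a false positive.
SAMPLE_RECORDS = [
    "auth req merchant=4471 name=JANE DOE pan=4111111111111111 exp=1210",
    "auth req merchant=4471 name=JOHN ROE pan=5500000000000004 exp=0911",
    "batch id=88213 total=1043.55 ref=1234567890123456",
    "heartbeat seq=20081031",
]

# 13-19 consecutive digits, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """All digit runs in `text` that look like PANs and pass Luhn."""
    return [m.group(1) for m in PAN_RE.finditer(text) if luhn_ok(m.group(1))]


def mask_pan(pan: str) -> str:
    """Keep first six (BIN) and last four digits; star out the middle."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_records(records: list[str]) -> list[tuple[str, str]]:
    """Return (masked PAN, redacted record) for every PAN found in `records`."""
    hits = []
    for line in records:
        for pan in find_pans(line):
            masked = mask_pan(pan)
            hits.append((masked, line.replace(pan, masked)))
    return hits


if __name__ == "__main__":
    for masked, redacted in scan_records(SAMPLE_RECORDS):
        print(masked, "|", redacted)
```

The same structural test that lets an egress monitor flag card data lets malware select it: nothing about the number itself distinguishes a captured PAN from a legitimately handled one, which is why the article's distinction between what was exposed (name, PAN, expiry) and what was not (PIN, CVV2) matters for how the stolen data can be used.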

Another thing Maloni says he can confirm is that it wasn’t an inside job. He says the U.S. Secret Service, which is investigating the breach along with the U.S. Department of Justice, has uncovered information that leads them to believe it may involve individuals outside the U.S.

"It appears to be an international cyber crime organization – a global cyber crime organization," he said, though he wouldn’t provide any details about the countries allegedly involved.

Representatives of the U.S. Department of Justice and the U.S. Secret Service were contacted but refused to comment.

Also of interest to investigators is the entry point the criminals used to install the software on the server. Neither U.S. authorities nor Heartland have released information on this yet. Shackleford admits it’s speculation, but he says hackers often use badly coded Web sites as back doors to company servers. This would enable the hackers to plant the software from an off-site location.

"That’s the number one thing that most people are starting to have trouble with," he said. "Everybody rushed to put Web applications out there and they’re coded horribly."

 

Who’s to blame?

When it comes to prosecuting data breaches such as this, Shackleford says the international aspect can be a significant obstacle, given that some countries have no extradition laws for computer crime. In fact, he says U.S.-based criminals will often send the data from server to server, crossing through one of these countries so authorities will be unable to follow the trail.

"The minute it crosses the border into Yugoslavia, the case is almost dead," he said. "It’s crazy, right? Most people don’t realize that the Number One location in the world for online auction fraud is Romania. Romania is one of those countries, so it’s very, very difficult to prosecute things there."

Even cases in the U.S. can be difficult to prosecute, according to Shackleford, who says the data trail often leads to a computer lab at a university or public library, where it’s next-to-impossible to link the evidence to an individual user.

 

Penalties

Obviously criminals can be prosecuted, but the breach does raise questions of liability. Shackleford says the onus is on card associations like Visa and MasterCard to put pressure on processors and merchants that get compromised. He says that pressure could come in the form of dramatically increased transaction fees for any Visa or MasterCard transactions, or through card issuers disallowing the transaction altogether – something he says didn’t happen after the TJX case.

"Have they (TJX) really suffered at all?" he asked. "That’s the question. No. They got a slap on the wrist. They had some fines levied against them that were paltry."

At the same time, he says consumers remain indifferent to news of the breaches.

"If you as a consumer still go shop at Marshalls and pay with a credit card, even after what happened happened, then TJX pretty much gets away scot-free," he said. "Consumer apathy is one major problem."

That said, it’s still unclear what actions Heartland could have taken to avoid the alleged breach. According to Maloni, the company was PCI compliant as of April 2008.

He dismissed the suggestion that Visa and MasterCard should raise Heartland’s transaction fees.

"It serves no one to talk about stringent penalties unless we’re also going to talk about what we need to do to make sure we have stringent security," he said, adding that Heartland has created a site, www.2008breach.com, where consumers and merchants can learn more about the data compromise.

The liability factor

The real question that might worry merchants, restaurants and self-service deployers that are customers of Heartland is the issue of liability. Could they be held civilly liable for choosing a payments processor that may not have had all the necessary security measures in place?

Larry Washor, an attorney for Los Angeles-based Washor & Associates who specializes in business and technology law, says he doesn’t think so, since there is virtually no way a merchant can investigate a processor’s security measures, beyond confirming that it is PCI compliant.

"Suppose you said to the processor, ‘Hey processor, I’m concerned about security. Can I send a team in to verify the adequacy of your security measures?’" he asked. "What do you think the processor would say to you?"

However, there are some basic steps a merchant can take, he says, to check whether the processor has a clean track record.

"Check with the Better Business Bureaus as to the reputation of the processor," he said. "Some have very, very bad reputations. I could name several that I would recommend people not use, although I wouldn’t want to do it in print."

© 2010 NetWorld Alliance LLC. All rights reserved.